Fix eval, which was broken by merging from bleeding_edge.

src/codegen-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 3089 matching lines @@
   // constructor invocation.
   __ RecordPosition(node->position());
   Handle<Code> ic(Builtins::builtin(Builtins::JSConstructCall));
   frame_->CallCodeObject(ic, RelocInfo::CONSTRUCT_CALL, args->length() + 1);
   // Discard the function and "push" the newly created object.
   __ mov(frame_->Top(), eax);
 }
 
 
 void CodeGenerator::VisitCallEval(CallEval* node) {
+  frame_->SpillAll();
   Comment cmnt(masm_, "[ CallEval");
 
   // In a call to eval, we first call %ResolvePossiblyDirectEval to resolve
   // the function we need to call and the receiver of the call.
   // Then we call the resolved function using the given arguments.
 
   ZoneList<Expression*>* args = node->arguments();
   Expression* function = node->expression();
 
   RecordStatementPosition(node);
 
   // Prepare stack for call to resolved function.
   Load(function);
-  __ push(Immediate(Factory::undefined_value()));  // Slot for receiver
-  for (int i = 0; i < args->length(); i++) {
+  frame_->SpillAll();
+  // Allocate a frame slot for the receiver.
+  frame_->EmitPush(Immediate(Factory::undefined_value()));
+  int arg_count = args->length();
+  for (int i = 0; i < arg_count; i++) {
     Load(args->at(i));
+    frame_->SpillAll();
   }
 
   // Prepare stack for call to ResolvePossiblyDirectEval.
-  __ push(Operand(esp, args->length() * kPointerSize + kPointerSize));
-  if (args->length() > 0) {
-    __ push(Operand(esp, args->length() * kPointerSize));
+  frame_->EmitPush(frame_->ElementAt(arg_count + 1));
+  if (arg_count > 0) {
+    frame_->EmitPush(frame_->ElementAt(arg_count));
   } else {
-    __ push(Immediate(Factory::undefined_value()));
+    frame_->EmitPush(Immediate(Factory::undefined_value()));
   }
 
   // Resolve the call.
-  __ CallRuntime(Runtime::kResolvePossiblyDirectEval, 2);
+  frame_->CallRuntime(Runtime::kResolvePossiblyDirectEval, 2);
 
   // Touch up stack with the right values for the function and the receiver.
   __ mov(edx, FieldOperand(eax, FixedArray::kHeaderSize));
-  __ mov(Operand(esp, (args->length() + 1) * kPointerSize), edx);
+  __ mov(frame_->ElementAt(arg_count + 1), edx);
   __ mov(edx, FieldOperand(eax, FixedArray::kHeaderSize + kPointerSize));
-  __ mov(Operand(esp, args->length() * kPointerSize), edx);
+  __ mov(frame_->ElementAt(arg_count), edx);
 
   // Call the function.
   __ RecordPosition(node->position());
 
-  CallFunctionStub call_function(args->length());
-  __ CallStub(&call_function);
+  CallFunctionStub call_function(arg_count);
+  frame_->CallStub(&call_function, arg_count + 1);
 
   // Restore context and pop function from the stack.
   __ mov(esi, frame_->Context());
   __ mov(frame_->Top(), eax);
 }
 
 
 void CodeGenerator::GenerateIsSmi(ZoneList<Expression*>* args) {
   ASSERT(args->length() == 1);
   Load(args->at(0));
@@ skipping 2323 matching lines @@
 
   // Slow-case: Go through the JavaScript implementation.
   __ bind(&slow);
   __ InvokeBuiltin(Builtins::INSTANCE_OF, JUMP_FUNCTION);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal